informa
/
Risk
Commentary

Path To Becoming An Infosec Pro

Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.
Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.That's not an easy question considering the reader's comment made later in his message. He stated that he started off immediately in an infosec position and has found his lack of having a solid background in IT has been a bit of a hindrance. Excellent point. IT security is a very complex field with numerous specialization options -- like intrusion detection, pen testing, and forensics -- that all require detailed knowledge of IT and networking concepts.

Everyone I know in security has a slightly different story about how they began, but the common thread is almost no one went straight into the field. Infosec was something they were always interested in, but not as their main area of focus. Eventually, they gravitated toward infosec with focuses on things like vulnerability research and digital forensics.

My story is similar. I started off as a lowly tech in college while dreaming of one day becoming a Secret Service agent like my uncle. Somehow I ended up working my way from system administration to infosec because that's what I enjoyed. Others saw that, too, which led to new job opportunities. Having the background in IT is certainly important, but what I've discovered to be the most valuable assets an infosec pro can possess are a deep passion for security and the desire to learn.

Experimenting with new technologies and tools is also critically important, along with good training. What I didn't learn as a sysadmin I picked up while experimenting on my own time. I then took that knowledge to the next level by volunteering in what is now called the Work Study Program for SANS. I took courses 502 and 503 in perimeter protection and intrusion detection. After that, I spent a lot more time experimenting and breaking things, but was able to learn from my mistakes.

So what's the takeaway here? There is no single correct path to becoming an infosec professional. There isn't a Dummies book that will get you from point A to point B. If you don't have a passion for it and love what you do, then it might not be for you. And keep in mind that if you don't have an IT background, no problem. Just know that you'll have to try and make up for it through experimentation and training.

But, most important, have fun. Infosec is a fascinating industry with many facets to explore, so be sure to find an area you enjoy and go for it.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5